{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-guardduty/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS GuardDuty"],"_cs_severities":["high"],"_cs_tags":["defense-impairment","aws"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAn adversary may attempt to impair an organization\u0026rsquo;s defenses by manipulating the IP sets within AWS GuardDuty. GuardDuty IP sets are used to whitelist trusted IPs or blacklist known malicious IPs. By modifying these lists, an attacker can effectively disable alerts for their malicious activity, allowing them to operate undetected within the AWS environment. This activity is typically performed after initial access and lateral movement, as the attacker seeks to maintain persistence and evade detection. The changes could be made via the AWS Management Console, CLI, or programmatically through the AWS API, making it difficult to immediately recognize the change as malicious.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the AWS environment through compromised credentials or an exposed IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing GuardDuty IP sets using the \u003ccode\u003eListIPSets\u003c/code\u003e API call to identify potential targets for modification.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new IP set using the \u003ccode\u003eCreateIPSet\u003c/code\u003e API call, which contains malicious IPs they intend to whitelist, or the legitimate IPs of internal scanners they wish to mimic.\u003c/li\u003e\n\u003cli\u003eGuardDuty validates the uploaded IP set list.\u003c/li\u003e\n\u003cli\u003eThe attacker activates the newly created IP set within GuardDuty, making it the 
active trusted or threat list.\u003c/li\u003e\n\u003cli\u003eThe attacker conducts malicious activity, such as lateral movement, data exfiltration, or resource exploitation, from the whitelisted IPs.\u003c/li\u003e\n\u003cli\u003eGuardDuty, configured with the modified IP sets, does not generate alerts for activity originating from the whitelisted IPs.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and achieves their objective (e.g., data theft, denial of service) without detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to significant data breaches, resource compromise, and prolonged unauthorized access. The modification of IP sets within GuardDuty directly impairs the ability of security teams to detect and respond to ongoing threats. By whitelisting malicious IPs, attackers can bypass security controls and operate freely within the AWS environment. The number of affected organizations depends on the scope of the compromised AWS accounts and the extent to which GuardDuty is relied upon for threat detection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS GuardDuty IP Set Creation\u0026rdquo; to your SIEM to detect suspicious creation of IP sets in GuardDuty (logsource: aws, service: cloudtrail).\u003c/li\u003e\n\u003cli\u003eInvestigate any changes to GuardDuty configurations, particularly the creation or modification of IP sets, using CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts and IAM roles to prevent unauthorized access (related to initial access).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit IAM roles and permissions to minimize the blast radius of compromised 
credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-aws-guardduty-ipset/","summary":"An attacker modifies AWS GuardDuty IP sets, potentially whitelisting malicious IPs to disable security alerts and impair defenses.","title":"AWS GuardDuty IP Set Manipulation for Defense Impairment","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-guardduty-ipset/"}],"language":"en","title":"CraftedSignal Threat Feed — AWS GuardDuty","version":"https://jsonfeed.org/version/1.1"}